AI-Powered Security Scanning

Your First AI Security Hire

Stop wasting hours on security reviews. Fenny scans your code, understands context like a senior engineer, and delivers actionable fixes — not just alerts.

  • Find vulnerabilities before hackers do
  • AI-powered auto-fix suggestions
  • Seamless GitHub integration

Free for public repos. No credit card required.

Fenny Scan Results (live view)

SQL Injection in user.js:142 - Critical
User input flows directly to query. High confidence.

Missing null check in api.js:89 - Dismissed
Input validated upstream in middleware. False positive.

Outdated lodash dependency - Medium
Vulnerable method not used. Lower priority.

12 findings analyzed, 8 filtered as noise

Everything you need to secure your code

From vulnerability detection to automated fixes, Fenny handles security so you can focus on building features.

Deep Code Analysis

Static analysis that goes beyond pattern matching. Understands data flow, control flow, and business logic.

AI-Powered Context

Our AI understands your codebase like a senior engineer, reducing false positives and prioritizing real threats.

Auto-Fix Magic

Get production-ready fix suggestions, not just alerts. Copy, review, and merge — security made easy.

Dependency Scanning

Full SCA coverage for npm, pip, maven, and more. Know exactly which packages put you at risk.

GitHub Native

PR comments, status checks, and automated scans. Security that fits your existing workflow.

Compliance Ready

Map findings to SOC 2, PCI DSS, HIPAA, and more. Generate audit-ready reports in one click.

How Fenny works

Get from zero to secure in four simple steps. No complex setup, no learning curve.

01

Connect

Link your GitHub repos with one click. We only request the permissions we need.

02

Scan

Fenny analyzes your code for vulnerabilities, misconfigurations, and dependency risks.

03

Review

Get prioritized findings with context. No more wading through false positives.

04

Fix

Apply AI-generated fixes directly or export to your issue tracker.

AI-First Architecture

Not just another scanner. Your AI security teammate.

Traditional scanners blast you with alerts. Fenny thinks like a security engineer — understanding context, filtering noise, and delivering fixes you can actually use.

Contextual Understanding

Unlike pattern-matching tools, Fenny understands your code's intent and business logic.

90% Fewer False Positives

AI filters out noise so your team focuses on real vulnerabilities, not chasing ghosts.

Smart Prioritization

Findings ranked by actual exploitability, not just severity scores.

Instant Fix Generation

Production-ready code fixes generated in seconds, reviewed by AI for correctness.

Latest Security Insights

Real Vulnerabilities, Real Fixes

Learn from security vulnerabilities we've discovered and fixed in production code

Critical · 9 min read

Critical Buffer Overflow in spdm_emu.c: How strcpy() on argv[1] Enabled Code Execution

A critical buffer overflow vulnerability was discovered in `spdm_emu/spdm_emu_common/spdm_emu.c` at line 638, where an unbounded `strcpy()` call copied a user-supplied command-line argument directly into the fixed-size buffer `m_ip_address_string` without any length validation. An attacker able to invoke the `spdm_emu` binary with an oversized argument could corrupt adjacent memory and potentially achieve arbitrary code execution. The fix replaces the unsafe `strcpy()` with a bounded `strncpy()`

Critical · 7 min read

Shell Injection in mkmultidtb.py: How String Concatenation with os.system() Enabled Arbitrary Code Execution

A critical shell injection vulnerability in `scripts/mkmultidtb.py` allowed attackers to execute arbitrary commands during the kernel build process by injecting shell metacharacters into device tree binary (DTB) filenames. The vulnerability was caused by using `os.system()` with string concatenation instead of proper subprocess argument handling. The fix migrates to `subprocess.run()` with an argument list, so the filename is passed as a single argument and never interpreted by a shell.
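The examples on this page are in C, so here the os.system()-versus-argument-list fix is shown through its C analogue: a command string handed to a shell via popen() next to an argv array handed straight to execvp(). This is an added illustration, not code from mkmultidtb.py or its project; the DTB filename and the use of `echo` as the invoked program are constructed, and the injected command is a harmless second `echo` so the demonstration can run anywhere.

```c
// Added example: shell string vs. argv array. Only the shell path executes the
// second command hidden in the filename. Filename and target program are constructed.
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define OUT_MAX 256

/* Vulnerable shape: the command line is built by concatenation and run through
 * "sh -c", so ';', '|', '$(...)' in dtb_name are parsed by the shell. */
static int run_via_shell(const char *dtb_name, char *out, size_t out_len) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo %s", dtb_name);
    FILE *fp = popen(cmd, "r");
    if (fp == NULL) return -1;
    size_t n = fread(out, 1, out_len - 1, fp);
    out[n] = '\0';
    return pclose(fp);
}

/* Hardened shape: the program gets an argv array and no shell is involved, so
 * dtb_name is one argument no matter which characters it contains. */
static int run_via_argv(const char *dtb_name, char *out, size_t out_len) {
    int pipefd[2];
    if (pipe(pipefd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* child: stdout -> pipe, then exec */
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]);
        close(pipefd[1]);
        char *const argv[] = { "echo", (char *)dtb_name, NULL };
        execvp("echo", argv);
        _exit(127);
    }
    close(pipefd[1]);
    size_t total = 0;
    ssize_t n;
    while (total < out_len - 1 &&
           (n = read(pipefd[0], out + total, out_len - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(pipefd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

/* Constructed attacker-controlled filename carrying a shell metacharacter. */
static const char *malicious_name = "board.dtb; echo INJECTED";

/* Returns 1 if the shell path ran the injected command (INJECTED on its own line). */
int shell_path_executes_injection(void) {
    char out[OUT_MAX];
    if (run_via_shell(malicious_name, out, sizeof out) < 0) return -1;
    return strstr(out, "\nINJECTED") != NULL;
}

/* Returns 1 if the argv path echoed the whole filename literally. */
int argv_path_keeps_literal(void) {
    char out[OUT_MAX];
    if (run_via_argv(malicious_name, out, sizeof out) < 0) return -1;
    return strcmp(out, "board.dtb; echo INJECTED\n") == 0;
}
```

The same principle is what `subprocess.run(["program", filename])` gives in Python: the list form never builds a command string, so there is nothing for a shell to reparse. Escaping the filename before concatenation is the wrong fix; removing the shell from the call path is the right one.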

Critical · 6 min read

SQL Injection via SQLite's %s Format Specifier in LR2_statlong.cpp ReadPlayerScore()

A critical SQL injection vulnerability was discovered in `LR2/LR2_statlong.cpp` at line 42, where `sqlite3_snprintf` used the `%s` format specifier instead of `%q` to interpolate a player ID into a SQL query. This single-character difference meant that single quotes in the player ID were inserted verbatim, allowing an attacker to break out of the SQL string literal and inject arbitrary commands. The fix changes `%s` to `%q`, which doubles all single quotes to properly escape them.
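To make the one-character difference concrete, the following added example (not the LR2 project's code) builds the same query shape twice: once interpolating the player ID verbatim as `%s` does, and once after applying the rule that sqlite3_snprintf's `%q` applies, which doubles every single quote. The query text, the helper name `sql_escape_q` and the player IDs are constructed for illustration.

```c
// Added example: %s-style verbatim interpolation vs. %q-style quote doubling.
// sql_escape_q mirrors sqlite's %q rule; the query and IDs are constructed.
#include <stdio.h>
#include <string.h>

#define QUERY_MAX 256

/* Copies src into dst doubling every single quote, which is exactly what
 * sqlite3_snprintf does for %q. A doubled quote is a literal quote inside a
 * SQL string, so the value can no longer close the enclosing literal.
 * Returns 0 if the escaped text does not fit in dst. */
static int sql_escape_q(char *dst, size_t dst_len, const char *src) {
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        size_t need = (src[i] == '\'') ? 2 : 1;
        if (j + need >= dst_len) { dst[0] = '\0'; return 0; }
        dst[j++] = src[i];
        if (src[i] == '\'') dst[j++] = '\'';
    }
    dst[j] = '\0';
    return 1;
}

/* Vulnerable shape: the ID lands inside the quotes unchanged. */
int build_query_unsafe(char *out, size_t out_len, const char *player_id) {
    int n = snprintf(out, out_len,
                     "SELECT score FROM scores WHERE player='%s'", player_id);
    return n >= 0 && (size_t)n < out_len;
}

/* Fixed shape: the ID is %q-escaped first, so quotes in it cannot break out. */
int build_query_q(char *out, size_t out_len, const char *player_id) {
    char esc[QUERY_MAX];
    if (!sql_escape_q(esc, sizeof esc, player_id)) return 0;
    int n = snprintf(out, out_len,
                     "SELECT score FROM scores WHERE player='%s'", esc);
    return n >= 0 && (size_t)n < out_len;
}
```

Two caveats a reviewer would add: `%q` only escapes quotes, so the caller must still place the value inside single quotes, as the original code does (`%Q` additionally supplies the quotes and prints NULL for a null pointer); and a prepared statement with `sqlite3_bind_text()` removes the string-building step altogether, which is the stronger fix when the call site allows it.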

Critical · 7 min read

Integer Overflow in edge_detect.c Heap Allocation Enables Camera-Based Exploit

A critical integer overflow vulnerability in `C/filters/edge_detect.c` allowed an attacker controlling a virtual V4L2 camera device to supply manipulated width/height dimensions that would silently wrap around to zero during multiplication, causing a drastically undersized heap allocation. Subsequent writes to this tiny buffer result in heap corruption, potentially enabling arbitrary code execution. The fix replaces the unsafe `malloc(w * h)` pattern with overflow-safe `calloc((size_t)w, (size_t
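The following added example (not edge_detect.c or its project) shows the dimension product wrapping to a tiny byte count, and an allocation helper that widens each operand before multiplying, checks the product against SIZE_MAX, and folds in a bytes-per-pixel factor with the same check. The wraparound is modelled in uint32_t so the demonstration is well defined; the helper names and the sample dimensions are constructed.

```c
// Added example: wrapping dimension product vs. overflow-checked allocation.
// Helper names and sample dimensions are constructed for illustration.
#include <stdint.h>
#include <stdlib.h>

/* Buggy shape: the byte count is computed in 32-bit arithmetic before it ever
 * reaches malloc(). 65536 * 65536 wraps to 0, so the filter receives a zero
 * byte (or tiny) block and its per-pixel writes land in adjacent heap memory. */
uint32_t frame_bytes_wrapping(uint32_t w, uint32_t h) {
    return w * h;
}

/* Hardened shape: non-positive dimensions are rejected up front (a negative int
 * cast to size_t would become a huge value), each operand is widened to size_t
 * before the multiply, and both products are checked against SIZE_MAX.
 * Returns NULL when the request is refused or allocation fails. */
void *alloc_frame(int w, int h, size_t bpp, size_t *out_len) {
    if (w <= 0 || h <= 0 || bpp == 0) return NULL;
    size_t sw = (size_t)w, sh = (size_t)h;
    if (sw > SIZE_MAX / sh) return NULL;          /* sw * sh would overflow */
    size_t pixels = sw * sh;
    if (pixels > SIZE_MAX / bpp) return NULL;     /* pixels * bpp would overflow */
    size_t len = pixels * bpp;
    void *p = calloc(pixels, bpp);                /* zero-fills; modern libcs recheck the product */
    if (p != NULL && out_len != NULL) *out_len = len;
    return p;
}

/* Allocates, verifies the reported size, frees. Returns 1 on the expected size. */
int frame_size_ok(int w, int h, size_t bpp, size_t expect) {
    size_t len = 0;
    void *p = alloc_frame(w, h, bpp, &len);
    int ok = (p != NULL && len == expect);
    free(p);
    return ok;
}
```

The explicit checks are kept even though calloc() is used, so the caller learns why a request was refused; a driver would normally also cap width and height at the largest frame it is prepared to process, since a product that merely fits in size_t can still be far larger than any real frame.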

Critical · 7 min read

Stack Buffer Overflow in nvme-print.c: How sprintf() Threatened NVMe Device Security

A critical stack-based buffer overflow vulnerability was discovered in `nvme-print.c`, where multiple `sprintf()` calls wrote formatted output into fixed-size stack buffers without any bounds checking. The vulnerability was most dangerous in `nvme_pel_event_to_string()` at line 224, where a malicious NVMe device could supply unexpected event type values to trigger a buffer overflow enabling arbitrary code execution. The fix replaces all unsafe `sprintf()` calls with `snprintf()`, enforcing stric
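The post's fix swaps `sprintf()` for `snprintf()`; the detail a practitioner wants is that a bounded write can still truncate silently unless its return value is checked, and that the out-of-range event value from the device has to be handled before it is used as an index. The following added example (not nvme-cli's code) shows an event-to-string formatter and a multi-item line builder in that shape. The event table, buffer sizes and event values are constructed.

```c
// Added example: bounded formatting with truncation detection. The event
// table, buffer sizes and sample event values are constructed.
#include <stdio.h>
#include <string.h>

#define BUF_LEN 32

static const char *const event_names[] = {
    "Reserved", "SMART Health Log Snapshot", "Firmware Commit", "Timestamp Change",
};
#define N_EVENTS (sizeof event_names / sizeof event_names[0])

/* The sprintf() original would write strlen(name)+1 bytes into a fixed stack
 * buffer, and an unexpected event value could index past the table. Here the
 * value is range-checked first and every write is bounded by buf_len.
 * Returns 1 when the text fit, 0 when it was truncated or on error. */
int pel_event_to_string(unsigned event, char *buf, size_t buf_len) {
    int n;
    if (event < N_EVENTS)
        n = snprintf(buf, buf_len, "%s", event_names[event]);
    else
        n = snprintf(buf, buf_len, "Unknown event (0x%04x)", event);
    return n >= 0 && (size_t)n < buf_len;
}

/* Builds "name1, name2, ..." for a list of events. Each call is bounded by the
 * space that remains, and the loop stops before buf_len - off can underflow.
 * A partial item is dropped rather than left half-written.
 * Returns the number of events fully written. */
size_t describe_events(const unsigned *events, size_t count, char *buf, size_t buf_len) {
    size_t off = 0, written = 0;
    if (buf_len == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        char name[BUF_LEN];
        if (!pel_event_to_string(events[i], name, sizeof name)) break;
        int n = snprintf(buf + off, buf_len - off, "%s%s", i ? ", " : "", name);
        if (n < 0 || (size_t)n >= buf_len - off) {
            buf[off] = '\0';
            break;
        }
        off += (size_t)n;
        written++;
    }
    return written;
}
```

snprintf() returns the length the full text would have had, so `n >= remaining` is the truncation signal; code that ignores it stays memory-safe but can emit misleading output, which matters when the line is being parsed downstream.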

Critical · 8 min read

Unbounded strcpy() in FreezeProject/fs.c: How Four Lines Fixed a Critical Buffer Overflow

A critical buffer overflow vulnerability was discovered in `FreezeProject/src/fs.c`, where a custom `strcpy()` implementation was used at four separate call sites to copy user-controlled filenames into fixed-size buffers without any length checking. An attacker could supply a filename longer than the destination buffer to corrupt adjacent memory, potentially hijacking control flow or crashing the filesystem. The fix introduces a bounded `safe_strncpy()` helper that enforces the `MAX_FILENAME` li
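Both the spdm_emu post above and this one replace an unbounded strcpy() with a length-limited copy. The following added example (not spdm_emu's or FreezeProject's code) puts the unbounded shape next to a bounded helper and also shows the strncpy() pitfall such a helper must handle: when the source is at least as long as the destination, strncpy() leaves no terminator, so a later strlen() or "%s" reads past the buffer. The `safe_strncpy` name follows the post; its behaviour, `MAX_FILENAME` and the sample filenames are constructed.

```c
// Added example: unbounded copy, raw strncpy() without a terminator, and a
// bounded helper that always terminates and reports truncation. Constructed.
#include <string.h>

#define MAX_FILENAME 16

/* Vulnerable shape (never call this with untrusted input): strcpy() writes
 * strlen(src)+1 bytes regardless of dst's size, as with argv[1] in spdm_emu. */
void copy_unbounded(char dst[MAX_FILENAME], const char *src) {
    strcpy(dst, src);
}

/* strncpy() alone: bounded, but when src fills dst there is no NUL.
 * Returns 1 iff dst is terminated somewhere inside the buffer afterwards. */
int strncpy_is_terminated(char dst[MAX_FILENAME], const char *src) {
    strncpy(dst, src, MAX_FILENAME);
    return memchr(dst, '\0', MAX_FILENAME) != NULL;
}

/* Hypothetical bounded helper: copies at most dst_len-1 bytes, always writes a
 * terminator, and returns 0 when src was truncated so the caller can reject
 * the name instead of silently operating on a shortened one. */
int safe_strncpy(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return 0;
    size_t n = 0;
    while (n < dst_len && src[n] != '\0') n++;   /* bounded length scan */
    if (n == dst_len) {                           /* src (plus NUL) does not fit */
        memcpy(dst, src, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);                      /* includes the terminator */
    return 1;
}

/* Call site in the shape the post describes: a fixed-size filename field. */
int set_filename(char dst[MAX_FILENAME], const char *src) {
    return safe_strncpy(dst, MAX_FILENAME, src);
}
```

Rejecting a truncated name (return value 0) rather than keeping the shortened copy matters in a filesystem: a silently truncated filename can refer to a different object than the one the caller asked for.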


Compliance frameworks, covered

Map your security findings to industry standards. Generate audit-ready reports that satisfy your compliance team and auditors.

🔒

SOC 2

Type II Ready

💳

PCI DSS

Level 1 Compliant

🏥

HIPAA

Healthcare Ready

🛡️

OWASP

Top 10 Coverage

📋

ISO 27001

Information Security

One-Click Reports

Export findings mapped to specific compliance controls

Evidence Collection

Automatic documentation for audit trails

Continuous Monitoring

Stay compliant with every code change

Ready to secure your code?

Join thousands of developers who trust Fenny to find and fix vulnerabilities before they become problems. Get started in under 2 minutes.

Free for public repos · No credit card required · Setup in 2 minutes